Re: [mile] Alissa Cooper's Discuss on draft-ietf-mile-rfc5070-bis-22: (with DISCUSS and COMMENT)
"Roman D. Danyliw" <rdd@cert.org> Thu, 02 June 2016 02:51 UTC
Return-Path: <rdd@cert.org>
X-Original-To: mile@ietfa.amsl.com
Delivered-To: mile@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCF7312D0FA; Wed, 1 Jun 2016 19:51:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b9GGJtLfvnSJ; Wed, 1 Jun 2016 19:51:56 -0700 (PDT)
Received: from shetland.sei.cmu.edu (shetland.sei.cmu.edu [192.58.107.44]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4058612B051; Wed, 1 Jun 2016 19:51:55 -0700 (PDT)
Received: from timber.sei.cmu.edu (timber.sei.cmu.edu [10.64.21.23]) by shetland.sei.cmu.edu (8.14.4/8.14.4/1543) with ESMTP id u522pr1T026318; Wed, 1 Jun 2016 22:51:53 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cert.org; s=jthatj15xw2j; t=1464835913; bh=/GUs+2I/U5kFcsM5/XZBziTgvyAnV1YkFAgB7svmbls=; h=From:To:CC:Subject:Date:Message-ID:References:In-Reply-To: Content-Type:Content-Transfer-Encoding:MIME-Version:Sender: Reply-To; b=QgwvUvq23misQRcUMW3IAk120H/NDIDnhKqWpZVRiRgv/n8QmkYfRQvkry17IQYL3 rLMvRlZAHFUp5dw32AhCGZGgYhrJXfOLFNmW7n5w3viuLTFhTnlAbWVuS3YQzpmXXw SVTsGKD5mNDGq9kJA2wC/6kzlPvdTBqeFScIzmrw=
Received: from CASCADE.ad.sei.cmu.edu (cascade.ad.sei.cmu.edu [10.64.28.248]) by timber.sei.cmu.edu (8.14.4/8.14.4/1543) with ESMTP id u522nXUS030518; Wed, 1 Jun 2016 22:49:33 -0400
Received: from MARATHON.ad.sei.cmu.edu ([10.64.28.250]) by CASCADE.ad.sei.cmu.edu ([10.64.28.248]) with mapi id 14.03.0279.002; Wed, 1 Jun 2016 22:51:48 -0400
From: "Roman D. Danyliw" <rdd@cert.org>
To: Alissa Cooper <alissa@cooperw.in>, The IESG <iesg@ietf.org>
Thread-Topic: Alissa Cooper's Discuss on draft-ietf-mile-rfc5070-bis-22: (with DISCUSS and COMMENT)
Thread-Index: AQHRu5WwUczmdwb9r0SVyBJ6rZUDLZ/VY1fw
Date: Thu, 02 Jun 2016 02:51:47 +0000
Message-ID: <359EC4B99E040048A7131E0F4E113AFCD974F68E@marathon>
References: <20160531232347.20263.30439.idtracker@ietfa.amsl.com>
In-Reply-To: <20160531232347.20263.30439.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.22.6]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/mile/i-Fd4E_EhUNa65XUs-pAc4B2-Jg>
Cc: "mile@ietf.org" <mile@ietf.org>, "draft-ietf-mile-rfc5070-bis@ietf.org" <draft-ietf-mile-rfc5070-bis@ietf.org>, "mile-chairs@ietf.org" <mile-chairs@ietf.org>, "mile-chairs@tools.ietf.org" <mile-chairs@tools.ietf.org>
Subject: Re: [mile] Alissa Cooper's Discuss on draft-ietf-mile-rfc5070-bis-22: (with DISCUSS and COMMENT)
X-BeenThere: mile@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Managed Incident Lightweight Exchange, IODEF extensions and RID exchanges" <mile.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mile>, <mailto:mile-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mile/>
List-Post: <mailto:mile@ietf.org>
List-Help: <mailto:mile-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mile>, <mailto:mile-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jun 2016 02:51:59 -0000
Hello Alissa! Thanks for the review. A response to the DISCUSS is inline ... > -----Original Message----- > From: Alissa Cooper [mailto:alissa@cooperw.in] > Sent: Tuesday, May 31, 2016 7:24 PM > To: The IESG <iesg@ietf.org> > Cc: draft-ietf-mile-rfc5070-bis@ietf.org; Roman D. Danyliw <rdd@cert.org>; > mile-chairs@tools.ietf.org; mile@ietf.org; mile-chairs@ietf.org; > takeshi_takahashi@nict.go.jp; mile@ietf.org > Subject: Alissa Cooper's Discuss on draft-ietf-mile-rfc5070-bis-22: (with > DISCUSS and COMMENT) > > Alissa Cooper has entered the following ballot position for > draft-ietf-mile-rfc5070-bis-22: Discuss [snip] > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > The Confidence class as defined in 3.12.5 seems underspecified. It does not > specify a max value, so some implementations might use 1 as the max while > others might use 100. Inherited from RFC5070, there are no ranges specified for a valid numeric confidence value. This was an explicit design choice kept in this draft to preserve flexibility. Acceptable ranges and how this value should be interpreted are handled out of band. This approach is consistent with the overall design of the data model. Consider that almost all of the classes in the data model are optional. The minimal valid document, shown is Section 7.1, isn't useful. Profiling between parties in a data sharing consortium will determine which optional-in-the-RFC classes should be mandatory-in-the-consortium. This thinking extends to the semantics of classes like Confidence. > It's also hard to understand how a single confidence value is supposed to be > applied to elements with multiple fields, as in 3.12 and 3.29. What do I do if I > have high confidence in my estimate of SystemImpact but low confidence in > my estimate of MonetaryImpact? If the child classes don't have the same Confidence, then each can be expressed in a distinct instance of the parent class. For the high confidence SystemImpact but low confidence MonetaryImpact do the following (per Section 3.12): <Incident ...> ... <Assessment> <SystemImpact>...</SystemImpact> <Confidence rating="low" /> </Assessment> <Assessment> <MonetaryImpact>...</MonetaryImpact> <Confidence rating="high"/> </Assessment> </Incident> This same approach doesn't apply to the Indicator class (Section 3.29). There is no way to granularly express a different confidence for different child elements that compose the Indicator. The value expressed in Indicator/Confidence is a reflection of the confidence in the totality of the information in that Indicator class. It would be relatively straightforward to add a Confidence class to Observable, IndicatorExpression, AttackPhase, Reference and AttackPhase. With some redesign, the same could be done for ObservableReference, IndicatorReference, StartTime and EndTime. > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > (1) Section 1: It would be useful to define "cyber," "cyber indicator" > (somewhere before 3.29), "cyber threat," and "cyber event." I chuckled when > I wrote that, but I'm serious. The term "cyber" did not appear in RFC 5070. It > has clearly taken on some (mythical, perhaps) meaning in venues external to > the IETF. I think if this document is going to use the term, it needs to explain > what it means. If there are some external definitions to point to or adopt, > that would be fine. After a search, it would appear that "cyber" is used in the abstract, Section 1.0 (Introduction), 1.3 (About the IODEF Data Model), 3.12.1 (SystemImpact), 3.12.2 (BusinessImpact), 3.28 (IndicatorData) and 3.29 (Indicator) -- 14 times total. That can be cleaned up. Specifically: ** Section 1.0 uses the term "cyber security event" once. I'm going to assume that isn't controversial. ** Sections 3.12.1 and 3.12.2 use the term "cyber physical system" four times. I'm going to assume this isn't controversial. ** s/cyber indicator/indicator/g will address four usages of "cyber"-as-an-adjective in the abstract; and Sections 1.0, 3.28 and 3.29 ** s/cyber incident report/cybersecurity incident report/g will address one more usage of "cyber"-as-an-adjective in Section 1.0 ** I'll reword "cyber threats" and "cyber event mitigation" in Section 1.0; and reevaluate the use of "cyber intelligence" > (2) Section 3.19.2: If I want to list the admin contact for a particular domain > in a Contact element within a DomainContacts element, do I set the role in > the Contact to "admin" or to "zone"? I think this is not entirely clear from > how the roles are specified in 3.9 since most of the roles are more generic > than "zone." I'd say "admin". You're right about the lack of symmetry of "zone" relative to the others. I'll dig through the mailing list to see if I can recollect why we have this value. At first blush, I'd say delete it. Roman
- Re: [mile] Alissa Cooper's Discuss on draft-ietf-… Kathleen Moriarty
- Re: [mile] Alissa Cooper's Discuss on draft-ietf-… Roman D. Danyliw
- [mile] Alissa Cooper's Discuss on draft-ietf-mile… Alissa Cooper
- Re: [mile] Alissa Cooper's Discuss on draft-ietf-… Roman D. Danyliw
- Re: [mile] Alissa Cooper's Discuss on draft-ietf-… Roman D. Danyliw
- Re: [mile] Alissa Cooper's Discuss on draft-ietf-… kathleen.moriarty.ietf